Linux Forums > Linux - Networking
Old 05-26-2010, 11:56 AM   #1
iptables on two interfaces: need help setting up a nat/firewall

I'm new to iptables and have been trying for days to get it running the way I want, but so far no success.

I have a DHCP/FTP/etc server and I need:
1. The client machines to have internet access, including FTP.
2. The server to have internet access, including FTP.
3. Block everything else coming from the WAN.

I only want HTTP, HTTPS, DNS, and FTP to be allowed through the WAN, everything else must be blocked. Everything can be left wide open on the LAN, I don't care what gets passed around there.

Can anyone help out? I've been reading up on iptables for days and I still can't get it to work. I've tried all kinds of combinations of rules, and so far the only way I can get it to work is to set the policy to ACCEPT.

Here are the basic rules I have set for iptables:
export LAN=eth0
export WAN=eth1

iptables -F
iptables -t nat -F

iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT

iptables -P FORWARD DROP

iptables -P OUTPUT DROP
# OUTPUT has no input interface: match on the outgoing one (-o).
# iptables rejects "-i" in the OUTPUT chain ("Can't use -i with OUTPUT").
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -o $LAN -j ACCEPT

iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
So far, I've just set the FORWARD policy to ACCEPT to get internet access for the clients.

Last edited by Mardok; 05-26-2010 at 12:02 PM.
Old 05-27-2010, 10:06 AM   #2
Original Poster
I'm a step closer:
#!/bin/bash

export LAN=eth0 #For readability's sake
export WAN=eth1

iptables -F #Flush rules and delete leftover chains from a previous run, otherwise
iptables -X #-N fails with "Chain already exists" the second time the script runs

iptables -N OPEN-TCP #Create two new chains for handling TCP and UDP packets
iptables -N OPEN-UDP

iptables -P INPUT DROP #Drop anything being received by the machine by default
iptables -A INPUT -i lo -j ACCEPT #Accept anything on the loopback device
iptables -A INPUT -i $LAN -j ACCEPT #Accept anything on the LAN
iptables -A INPUT -p tcp -m state --state RELATED,ESTABLISHED -i $WAN -j OPEN-TCP
#If we receive a TCP packet on the WAN, send it to the OPEN-TCP chain to determine whether it should be dropped or accepted.
#It will only accept packets that already have an established connection.
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -i $WAN -j OPEN-UDP #Same as above, except with UDP packets.

iptables -P FORWARD DROP #I'll figure out how to handle NAT later

iptables -P OUTPUT DROP #Drop anything sent out by the machine by default
iptables -A OUTPUT -o lo -j ACCEPT #Allow any packet sent out on the loopback device by default
iptables -A OUTPUT -o $LAN -j ACCEPT #Allow any packet sent out on the LAN by default
iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -o $WAN -j OPEN-TCP
#If any kind of TCP packet is sent out on the WAN, send it to the OPEN-TCP chain to determine if it should be accepted or dropped.
iptables -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -o $WAN -j OPEN-UDP
#Same as above, except with UDP.

iptables -A OPEN-TCP -p tcp --dport 80 -j ACCEPT #If the destination port is 80 (HTTP), accept
iptables -A OPEN-TCP -p tcp --dport https -j ACCEPT #If the destination port is 443 (HTTPS), accept
iptables -A OPEN-TCP -p tcp --dport 1024: -j ACCEPT #This is needed for web browsing.  Is there a more secure way of doing this?
iptables -A OPEN-TCP -j DROP #If none of the above rules match, then drop the packet.

iptables -A OPEN-UDP -p udp --dport 53 -j ACCEPT #If we're doing a DNS lookup, accept
iptables -A OPEN-UDP -p udp --dport 1024: -j ACCEPT #This is needed for web browsing.  NEED MORE SECURE WAY OF DOING THIS!!!
iptables -A OPEN-UDP -j DROP #If the packet doesn't match any of the above rules, drop it.
This allows my machine to get internet access, but I have to open ports 1024:65535 in order to do it.

Is there a way to keep ports 1024:65535 closed, but still be able to get internet access?
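The rule set below is an added example, not code from the thread, showing the shape that answers the question in this post and the forwarding left open in post #1. The reason 1024:65535 had to be opened is that the OPEN-TCP/OPEN-UDP chains test the destination port of reply packets, and replies to the server's own browsing land on an ephemeral port. The fix is to accept ESTABLISHED,RELATED by connection state before any port test, and to run the port whitelist only against NEW connections heading out of the WAN interface, from one chain shared by OUTPUT (the server itself) and FORWARD (the LAN clients). FTP data connections become RELATED once the FTP conntrack helper is attached, so they need no open port range either. Assumed and adjustable through the environment: LAN=eth0, WAN=eth1, LAN_NET=192.168.1.0/24. The match is written as `-m conntrack --ctstate`, the current spelling of the `-m state --state` match used in the post. Run without arguments it prints an iptables-restore rule set; run as root with `apply` it loads it.

```shell
#!/bin/sh
# Added example (not from the thread): stateful NAT/firewall for a box with
# one LAN and one WAN interface. Interface names and LAN subnet are
# assumptions; override them in the environment.
LAN=${LAN:-eth0}
WAN=${WAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Emit a complete rule set in iptables-restore format. Loading it replaces the
# previous rules atomically, so the script can be re-run without -F/-X.
gen_rules() {
cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Attach the FTP helper explicitly (automatic helper assignment is disabled by
# default on kernels >= 4.7). Requires: modprobe nf_conntrack_ftp
-A PREROUTING -i $LAN -p tcp --dport 21 -j CT --helper ftp
-A OUTPUT -p tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:WAN-OUT - [0:0]
# Replies (and helper-tracked FTP data connections) are ESTABLISHED/RELATED,
# so they are accepted by state rather than by opening 1024:65535.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j ACCEPT
# No rule accepts NEW on the WAN side of INPUT or FORWARD: everything the
# Internet initiates hits the DROP policy.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN -o $WAN -m conntrack --ctstate NEW -j WAN-OUT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $LAN -j ACCEPT
-A OUTPUT -o $WAN -m conntrack --ctstate NEW -j WAN-OUT
# Only NEW connections toward the WAN reach this chain, so the destination
# port is the server's port, not an ephemeral one. Shared by OUTPUT and FORWARD.
-A WAN-OUT -p udp --dport 53 -j ACCEPT
-A WAN-OUT -p tcp --dport 53 -j ACCEPT
-A WAN-OUT -p tcp --dport 80 -j ACCEPT
-A WAN-OUT -p tcp --dport 443 -j ACCEPT
-A WAN-OUT -p tcp --dport 21 -j ACCEPT
-A WAN-OUT -j DROP
COMMIT
EOF
}

# Load the helper module, enable routing between the interfaces, apply rules.
apply_rules() {
  modprobe nf_conntrack_ftp
  sysctl -q -w net.ipv4.ip_forward=1
  gen_rules | iptables-restore
}

case "$1" in
  apply) apply_rules ;;
  *)     gen_rules ;;
esac
```

Inspect with `sh firewall.sh` before loading, then `sh firewall.sh apply` as root and `iptables -S WAN-OUT` to confirm the whitelist. The ordering matters: the ESTABLISHED,RELATED accept goes first so the later per-interface rules only ever see new traffic, and the INVALID drop sits before them so packets the tracker cannot place are not waved through by `-i $LAN`. DHCP replies to LAN clients are covered by the unconditional LAN accepts, as the post asked for.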
Old 05-29-2010, 11:45 AM   #3
Seems like you're re-inventing the wheel a little bit. There are some firewall builder tools out there and other packages that can do this via a GUI.

Even if you don't end up using them, they can work as a good teaching tool too. Also check out firewall distros based on the distro you're using, as they will have lots of rules and you can pick and choose.


